Sponsored by..

Showing posts with label Latvia. Show all posts
Showing posts with label Latvia. Show all posts

Monday, 17 April 2017

Malware spam: "RE: RE: ftc refund" / secretary@ftccomplaintassistant.com

This fake FTC email leads to malware. Curiously, it was sent to a company that received a multimillion dollar FTC fine, but this is almost definitely a coincidence.

From:    Federal Trade Commission [secretary@ftccomplaintassistant.com]
Date:    17 April 2017 at 15:25
Subject:    RE: RE: ftc refund


It seems we can claim a refund from the FTC.
Check this out and give me a call.
https://www.ftc.gov/refunds/company/companyname.com/FTC_refund_recipientname.doc
Thank you
James Newman
Senior Accountant
secretary@ftccomplaintassistant.com
212-0061570

The link in the email actually goes to a URL beginning http://thecomplete180.com/view.php?id= followed by a Base 64 encoded string that appears to be 6281 + recipient email address + 5434 (so for president@whitehouse.gov it would be http://thecomplete180.com/view.php?id=NjI4MXByZXNpZGVudEB3aGl0ZWhvdXNlLmdvdjU0MzQ=)

Obviously this downloaded document is up to no good, but the VirusTotal detection rates are only 5/56. The Word document itself tries to persuade victims to enable macros, which would be a bad idea.


Automated analysis [1] [2] shows network traffic to:

wasstalwihis.com/bdk/gate.php
littperevengpa.com/ls5/forum.php
littperevengpa.com/mlu/forum.php
littperevengpa.com/d1/about.php
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/a1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/1
hybridinformatica.com.br/blog/wp-content/themes/twentyeleven/inc/2


It also appears to start sending traffic via Tor, which is a good reason to monitor Tor on your network. All sorts of files are dropped, most of which don't seem to be particularly malicious. "Gate.php" indicates a Pony downloader, but this does look like a tricky bugger.

Out of the domains contacted, littperevengpa.com and wasstalwihis.com shared the same registrant details and look fairly evil. We can associate the same registrant with the following domains:

soinwarep.com
ronwronsednot.com
withwasnothar.com
dingandrinfe.com
troverylit.com
derby-au.com
utonerutoft.com
situghlacsof.com
tinjecofsand.com
fortotrolhec.com
fydoratot.com
redwronwassdo.com
ronkeddari.com
littperevengpa.com
suranfortrep.com
newbillingplace.com
usps-daily-delivery.com
ringcentral-fax-inbox.com
wassheckgehan.com
wasstalwihis.com
meredondidn.com
satertdiut.com
vernothesled.com
veuntedund.com
ranwithtorsdo.com
notwipaar.com
dintrogela.com
adp-monthly-billling.com
rigakeddo.com
random-billing.com
hetoftinbut.com
hemlittratdidn.com

Perhaps more usefully, we can associate that registrant with the following IPs:

178.170.189.254 [hostname: nejokexulag.example.com] (Servachok Ltd, Russia)
185.146.1.4 (PS Internet Company LLC, Kazakhstan)
185.48.56.63 (Sinarohost, Netherlands)
185.80.53.76 (HZ Hosting, Bulgaria)
188.127.237.232 (SmartApe, Russia)
193.105.240.2 (Sia Vps Hosting, Latvia)
194.1.239.63 [hostname: nejokexulag.example.com] (Internet Hosting Ltd, Russia)
195.54.163.94 (PE Dobrogivskiy Muroslav Petrovich, Ukraine)
212.116.113.108 (Prometey Ltd, Russia)
46.148.26.87 [hostname: nejokexulag.infium.net] (Infium UAB, Ukraine)
47.90.202.88 (Alibaba.com, China)
77.246.149.100 [hostname: nejokexulag.e-vds.ru] (E-planet Ltd, Russia)
87.118.126.207 (Keyweb AG, Germany)
88.214.236.158 (Overoptic Systems, Russia)
91.230.211.67 [hostname: nejokexulag.freeopti.ru] (Optibit LLC, Russia)
93.189.43.36 (NTCOM, Russia)

This gives us a pretty useful minimum blocklist:

178.170.189.254
185.146.1.4
185.48.56.63
185.80.53.76
188.127.237.232
193.105.240.2
194.1.239.63
195.54.163.94
212.116.113.108
46.148.26.87
47.90.202.88
77.246.149.100
87.118.126.207
88.214.236.158
91.230.211.67
93.189.43.36




Monday, 19 December 2016

Malware spam: "Payslip for the month Dec 2016." leads to Locky

This fake financial spam leads to Locky ransomware:

From:    PATRICA GROVES
Date:    19 December 2016 at 10:12
Subject:    Payslip for the month Dec 2016.

Dear customer,

We are sending your payslip for the month Dec 2016 as an attachment with this mail.

Note: This is an auto-generated mail. Please do not reply.
The name of the sender will vary. Attached is a malicious Word document with a name like Payslip_Dec_2016_6946345.doc which has a VirusTotal detection rate of 12/55.

This Hybrid Analysis clearly shows Locky ransomware in action when the document is opened.

According to my usual reliable source, the various versions of this download a component from one of the following locations:

023pc.cn/8hrnv3
aguamineralsantacruz.com.br/8hrnv3
allard-g.be/8hrnv3
as-kanal-rohrreinigung.de/8hrnv3
aspecta-aso.net/8hrnv3
audehd.com/8hrnv3
audreyetsteve.fr/8hrnv3
baugildealtmark.de/8hrnv3
berstetaler.de/8hrnv3
birdhausdesign.com/8hrnv3
bperes.com.br/8hrnv3
brainfreezeapp.com/8hrnv3
delreywindows.com/8hrnv3
democracyandsecurity.org/8hrnv3
factoryfreeapparel.com/8hrnv3
garosero5.com/8hrnv3
globaser3000.com/8hrnv3
grafiquesvaros.com/8hrnv3
routerpanyoso.50webs.com/8hrnv3
skyers.awardspace.com/8hrnv3
www.andmax-rehabilitacja.pl/8hrnv3
www.bandhiga.com/8hrnv3
www.clinicafisiosan.com/8hrnv3
www.de-klinker.be/8hrnv3
www.foyerstg.pro/8hrnv3
www.globalchristiantrust.com/8hrnv3
www.neumayr-alkoven.com/8hrnv3
zimbabweaids.awardspace.com/8hrnv3

The malware then phones home to one of the following locations:

176.121.14.95/checkupdate (Rinet LLC, Ukraine)
193.201.225.124/checkupdate (PE Tetyana Mysyk, Ukraine)
188.127.237.76/checkupdate (SmartApe, Russia)
46.148.26.82/checkupdate (Infium, Latvia / Ukraine)


A DLL is dropped with a detection rate of 12/52.

Recommended blocklist:
176.121.14.95
193.201.225.124
188.127.237.76
46.148.26.82



Thursday, 15 December 2016

Malware spam: "Payment Processing Problem" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Juliet Langley
Date:    15 December 2016 at 23:17
Subject:    Payment Processing Problem

Dear [redacted],

We have to inform you that a problem occured when processing your last payment (code: 3132224-M, $789.$63).
The receipt is in the attachment. Please study it and contact us.


-
King Regards,
Juliet Langley

The name of the sender will vary, as will the reference number and dollar amounts. Attached is a ZIP file with a name somewhat matching the reference (e.g. MPay3132224.zip) containing in turn a malicious Javascript with a name similar to ~_AB1C2D_~.js.

My trusted source says that the scripts download a component from one of the following locations:

028cdxyk.com/mltxgc1
1688daigou.com/csuix
2lazy4u.de/ca4yq
adv-tech.ru/7p1jia
allan.multimediedesignerskive.dk/pohtr8mwl
amaniinitiative.org/ubaupn
artcoredesign.com/9ihg6by
atelier-coccolino.com/cvpphnaf7o
auto-zakaz.com.ua/phwcg
bantiki.me/hzzgidch
bikebrowse.com/qap3je2
blueprint-dsg.com/dtr22
bvntech.com/amrwwxei
chonamyoung.com/9vsdld
cprsim.com/h9o3msx
dealspari.com/r2jvx5h6kc
demo.ahost5.ru/dhvzqqbo
demo.pornuha4you.com/lba7ajvti
deutsch.awardspace.info/0zetkhmp
dicksmacker.com/qq4ctnrgc
dryerventexpress.com/pnpafot9g
elevationmusic.de/6gcg6
e-studiz.com/hn0hl7i
formatwerbung.de/axxlilgd
gieslerdavies.com/cjhwnit
goldenarms.myjino.ru/3wn40qkg
gwerucity.org.zw/a3fsqhu9od
happyfeet.de/7rebctpqn5
hho68.com/hbowe
honestflooring.com/85i95u6vd
houssiere.daniel.formations-web.alsace/npqddd8b
infinitecorp.ca/to7jp7
kawagebook.com/5cbwdd5hap
kayamuh.sarf.com.tr/nou0chc
ledticket.com/pbmcdnx5rj
lucapotenziani.com/zjtguxf
mainlinecarriers.co.tz/ycj7o
martawyczynska.com/ilfvn
mbdvacations.com/ou8kkem
movewithgrace.ca/r8omwc
obccllc.com/tze5um3hh
old.strommarnas.se/yazezuw7og
seven-cards.com/xe2llygi
spikaflora.ru/zyubd6mlb
store.elixe.net/jltuvjpcsh
test1.zrise.top/isk90e
testlife.ruyigou.com/pv2ryezg7
theexcelconsultant.com/vp9u7tpa
thezenatwork.com/yd2c49vg0
topstoneisland.com/ud4jqd
tunca.bel.tr/uo3jnqkgxn
ustadhanif.com/q0w93lkrvp
www.boldrini.org.br/csneth51
www.chocolaterie-servant.com/1l38y2p
www.englishworld.it/w6ynmr
www.kottalgenealogy.com/vkwf5rll0s
www.sapol.it/ou8e1ftep
zapotech.com/sqagj4
zhongguanjiaoshi.com/mklu7

The malware then phones home to the following locations:

185.129.148.56/checkupdate (MWTV, Latvia)
178.209.51.223/checkupdate [hostname: 454.SW.multiservers.xyz] (EDIS, Switzerland)
37.235.50.119/checkupdate [hostname: 454.2.SW.multiservers.xyz] (EDIS, Switzerland)


Recommended blocklist:
185.129.148.0/24
178.209.51.223
37.235.50.119

Malware spam: "Amount Payable" leads to Locky

This fake financial spam leads to Locky ransomware:

From:    Lynn Drake
Date:    15 December 2016 at 09:55
Subject:    Amount Payable

Dear [redacted],
The amount payable has come to $38.29. All details are in the attachment.
Please open the file when possible.


-
Best Regards,
Lynn Drake
The name of the sender will vary, although the dollar amount seems consistent in all the samples I have seen. Attached is a file with a name similar to doc_6937209.zip which contains an apparently randomly-named script in a format similar to ~_ZJR8WZ_~.js. The highly obfuscated script of one sample can be seen here. Typical detection rates for the script are around 16/54.

There are many different scripts, downloading a component from one of the following locations (thanks to my usual reliable source):

0668.com/k5bhgn
250sb.com./jynvmx
addwords.com.tr/aah6qmhv
anti-dust.ru/7k6cp
asdream.pl/gbbs1c
atio.li/exjik
bappeda.dharmasrayakab.go.id/dlhalychp
braindouble.com/uycx51ix
buhoutserts.ru/ufdazc6vv
casino-okinawa.com/ejguf
catherineduret.ch/5qpqi5ezp
chinaxw.org/xw1ju7y6zc
chungcuvinhomemydinh.com/6dvjasf
crolic88.myjino.ru/1ddig
demo.shispare.com/bvsjq
environment.ae/0od5hn
forbrent.com/h9kqgq
fyd123.cn/kib6h2d9ga
groupeelectrogeneservice.com/eefpeywf9z
hedefosgb.com/dpyzsb6u
hlonline.kentucky.com/i7z78
innercityarts.squaremdesign.com/dyo1w7
jianhu365.com/z9puqdj2eu
malamut.org/gizb2zq
obaloco.com.br/67mfj
peopleprofit.in/pyihdg
roman64.humlak.cz/7bnisgf
rulebraker.ru/zsw4cnf9o
scaune.qmagazin.ro/5hktu4h
slankmethode.nl/4zzq1am
subys.com/mjguriv80
szwanrong.com/x5qxzpjsi
tecnomundo.uy/a8rnlgzv
test1.giaiphaponline.org/0ytdjs1
test.sousouyo.com/feaetpnuee
theamericanwake.com/xw1ju7y6zc
travelinsider.com.au/mwaefb4b
trietlong.net/heyus
tx318.com/kqe4ca
ucbus.net/usdxqqt6
u-niwon.com/kmjg6j9ske
vaaren.dk/ogcz6ys0d
viscarci.com/wyqs6353
walkonwheels.net.au/qmd1uu
wdcd999.com/lm5z2snyqn
web-shuttle.in/eeo9oc
windshieldrepairvancouver.ca/qcp8k7
wiselysoft.com/qcymgbug7
wszystkodokuchni.pl/sl5yko7
wudiai.com/mc3hnwd
www.espansioneimmobiliare.com/akktnck
www.myboatplans.net/6d7ukeco6
wx.utaidu.com/1eybujbru
xlr8services.com/n970foumf
xn--k1affefe.xn--p1ai/8wzzjk24u
youspeak.pt/liowrtxs
yukngobrol.com/h7sfu
zhiyuw.com/qfbdcvrul
zwljfc.com/ld1pvjozu
zzzort10xtest123.com/nin5k3bwo

According to this Malwr analysis, a DLL is dropped with a detection rate of 18/55.  This Hybrid Analysis shows the Locky infection clearly and identifies some C2s, combining this with another source gives the following list of C2 servers:

86.110.117.155/checkupdate (Rustelekom, Russia)
185.129.148.56/checkupdate (MWTV, Latvia)
185.17.120.166/checkupdate (Rustelekom, Russia)


MWTV is a known bad host, so I recommend blocking the entire /24.

Recommended blocklist:
86.110.117.155
185.129.148.0/24
185.17.120.166


Friday, 9 December 2016

Malware spam: "Firewall Software" leads to Locky

This spam appears to come from multiple senders and leads to Locky ransomware:

From:    Herman Middleton
Date:    9 December 2016 at 07:40
Subject:    Firewall Software

Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.

Please check it out.


--
King Regards,
Herman Middleton
IT Support Manager
Attached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated.

The Hybrid Analysis and Malwr report show that the script analysed downloads a component from welte.pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56. That Hybrid Analysis also detections C2 traffic to:

107.181.187.97/checkupdate [hostname: saluk1.example.com] (Total Server Solutions, US)
51.254.141.213/checkupdate (OVH, France)


It's worth mentioning perhaps that other Locky C2 servers seen in the past 12 hours are as follows:

91.142.90.46/checkupdate [hostname: mrn46.powerfulsecurities.com] (Miran, Russia)
195.123.209.23/checkupdate [hostame: prujio.com] (Layer6, Latvia)
185.127.24.247/checkupdate [hostname: free.example.com] (Informtehtrans, Russia)
176.121.14.95/checkupdate (Rinet LLC, Ukraine)
185.46.11.236/checkupdate (Agava, Russia)
178.159.42.248/checkupdate (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)


Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are a at least a couple of bad /24 blocks in there.

Recommended blocklist:
51.254.141.213
91.142.90.46
107.181.187.97
176.121.14.95
178.159.42.248
185.46.11.0/24
185.127.24.247
195.123.209.0/24


Wednesday, 23 November 2016

Malware spam "Please Pay Attention" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Please Pay Attention
From:     Bill Rivera
Date:     Wednesday, 23 November 2016, 9:45

Dear [redacted], we have received your payment but the amount was not full.
Probably, this occurred due to taxes we take from the amount.
All the details are in the attachment - please check it out.
The name of the sender will vary. In the sample I analysed, a ZIP file was attached with a filename beginning
lastpayment_ followed by the first part of the recipients email address. This archive contains a randomly-named malicious .JS script that looks like this.

This particular script (and there will be others) downloads a malicious component from one of the following locations:

nielsredeker.nl/gmcoirnrm
gurlfanam.net/krwjx
vedicmotet.com/61y7mljr4
praam.cz/iessl
nightpeople.co.il/xklqq33nr

According to this Malwr report a malicious DLL is dropped with an MD5 of def0d0070d4aed411b84ebd713fd8b92 and a detection rate of 6/56.

The Hybrid Analysis clearly shows the ransomware in action and shows it communicating with the following URLs:

95.213.186.93/information.cgi [hostname: djaksa.airplexalator.com] (Selectel, Russia)
195.123.209.8/information.cgi [hostname: kostya234.itldc-customer.net] (Layer6, Latvia)
213.32.66.16/information.cgi (OVH, France)


Recommended blocklist:
95.213.186.93
195.123.209.8
213.32.66.16

Tuesday, 8 November 2016

Malware spam: "Suspicious movements" leads to Locky

This fake financial spam leads to Locky ransomware:

Subject:     Suspicious movements
From:     Marlene Parrish
Date:     Tuesday, 8 November 2016, 12:52

Dear [redacted], Leroy from the bank notified us about the suspicious movements on out account.
Examine the attached scanned record. If you need more information, feel free to contact me.
---
King regards,
Marlene Parrish
Account Manager
Tel.: 202-328-1800
U.S. Office of Personnel Management
1189 E Street, NW
Washington, DC 20415-1000
The names, addresses and telephone numbers will vary from message to message. Attached is a ZIP file (e.g. pdf_recipient_3608c4a.zip) which contains a malicious javascript (e.g. NRV_J51E8_.js) which looks like this (note the insane amount of whitespace).

That particular script downloads a malicious component from one of the following locations:

vexerrais.net/6sbdh
centinel.ca/wkr1j6n
3-50-90.ru/u4y5t
alpermetalsanayi.com/vuvls
flurrbinh.net/6mz3c5q


There will probably be other download locations. This Hybrid Analysis and this Malwr report show the Locky ransomware in action. This version of Locky does not appear to use C2 servers, but instead drops a malicious DLL with an MD5 of 75e6faf192d00b296d89df2cd56c454a and a detection rate of 9/56.

UPDATE

My usual reliable source (thank you) informs me that there are indeed C2 servers (see the end of the post). The download locations are as follows:

3-50-90.ru/u4y5t
365aiwu.net/hbdo6
85.92.144.157/y8giadzn
abclala.com/r2kvg2
abercrombiesales.com/nmuch6
accenti.mx/nryojp
acrilion.ru/84m9t
adriandomini.com.ar/bq62dx10
agorarestaurant.ro/cg06f
ajmontanaro.com/q9giar
alpermetalsanayi.com/vuvls
antivirus.co.th/jukwebgk
apidesign.ca/ijau8q2z
archmod.com/sapma828
assetcomputers.com.au/lkfpyww
avon2you.ru/ayz1waqm
ayurvedic.by/b9kk9k
babuandanji.jp/lq9kay
bepxep.com/mo05j41
berrysbarber.com/q6qsnfpf
bielpak.pl/a79a64h
bjshicheng.com/blewwab
bst.tw/gnjeebt
cafedelrey.es/snby1c
centinel.ca/wkr1j6n
cgrs168.com/xmej0mc
chandrphen.com/h4b1k
chaturk.com/mxaxemv1
cheedellahousing.com/h24ph1
ck.co.th/r2k6i6
codanuscorp.com/ay5v52r1
comovan.t5.com.br/byev5nd
competc.ca/qrc9n
concern-block.ru/nijp1xq
corinnenewton.ca/ctlt8b
cosmobalance.com/jsqlt0g
dekoral.eu/twnyr1s
dessde.com/zcwaya
dinglihn.com/zg3pnsj
dmamart.com/c5l2p
donrigsby.com/nts0mk
dowfrecap.net/0d08tp
dowfrecap.net/3muv7
dowfrecap.net/6f9tho
dowfrecap.net/7qd7rck9
drkitchen.ca/y5jllxe
drmulchandani.com/d6ymtf62
dunyam.ru/jge1b3e
dwcell.com/dph861ws
earthboundpermaculture.org/okez95b
edrian.com/dfc33k67
edubit.eu/b6ye94wv
eldamennska.is/h4yim
elektronstore.it/z298ejb9
elleart.nl/gn3pim41
eroger.be/918p2q
fibrotek.com/deoq2
flurrbinh.net/0nbir64
flurrbinh.net/3nrgpb
flurrbinh.net/6mz3c5q
flurrbinh.net/7wi66hp
geethikabedcollege.com/766epkuj
handsomegroup.com/ae2y1hr0
inzt.net/lbrisge
lashouli.com/rq4xoq3
odinmanto.com/0cz2zwz
odinmanto.com/2rw12
odinmanto.com/57evyr
odinmanto.com/7gplz
pastelesallegro.mx/ex67ri8
thisnspeel.com/04u77s
thisnspeel.com/2qrn06f
thisnspeel.com/3ypojyl0
thisnspeel.com/766epkuj
vexerrais.net/1jk8n
vexerrais.net/3nx3w
vexerrais.net/6sbdh
vexerrais.net/84fwijj
villaamericana.net/84fwijj
www.cutillas.fr/lmc80sdb

C2s:

185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd, Ukraine)
195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Latvia)
185.102.136.127/message.php [hostname: koltsov12.mgn-host.ru] (MGNHost, Russia)
188.65.211.181/message.php (Knopp, Russia)


Recommended blocklist:
185.67.0.102
195.123.211.229
185.102.136.127
188.65.211.181



Monday, 7 November 2016

Malware spam: "Financial documents" leads to Locky

The never-ending Locky ransomware onslaught continues. This fake financial spam has a malicious attachment:

Subject:     Financial documents
From:     Judy Herman
To:     [redacted]
Date:     Monday, 7 November 2016, 10:53

Hi [redacted],

These financial documents need to be uploaded on the system.
Please let me know if you experience any technical problems.

Best Wishes,
Judy Herman 
Sender names will probably vary. In the sample I saw there was an attachment named fin_docs_f73856f4.zip containing a malicious script NRV_A194008F_.vbs that looks like this. This particular script (and there will be others like it) attempts to download from:

http://coachatelier.nl/lg8s2
http://bechsautomobiler.dk/m8idi9j
http://desertkingwaterproofing.com/ma4562
http://zapashydro.net/6sgto2bd
http://owkcon.com/6xgohg6i

According to this Hybrid Analysis, the malware then phones home to:

195.123.211.229/message.php [hostname: panteleev.zomro.com] (Layer6 Networks, Bulgaria / ITLDC, Latvia)
185.67.0.102/message.php [hostname: endgo.ru] (Hostpro Ltd. / hostpro.com.ua, Ukraine)
188.65.211.181/message.php (Knopp, Russia)


Recommended blocklist:
195.123.211.229
185.67.0.102
188.65.211.181




Thursday, 6 October 2016

Malware spam: "Your Order" and the inevitable Locky

This fake financial spam leads to Locky ransomware:

From:    Adrian Salinas
Date:    6 October 2016 at 10:13
Subject:    Your Order

Your order has been proceeded. Attached is the invoice for your order A-6166964.
Kindly keep the slip in case you would like to return or state your product's warranty.
Details will change from email to email. Attached is a ZIP file with a name similar to order_details_cb9782b.zip containing a malicious obfuscated javascript file named similarly to Cancellation Form 6328B32E.js

According to my source, these various scripts then download a component from one of the following locations:

activexsearch.com/yggv8
allinfo.xyz.com/zzi5zq2
aquatixbottle.com/yqr8i
askmeproperties.com/xc3db
asknaija.com/wvv5yh
atstory.com/zm2uojf
autokover.ru/z2oc4
b2c-batteries.com/hcgc64j
badimalik.com/dzqzl
bantayan.net/z3z3cc
baomoji.com/y6amo
betwer.com/t21j21t
booltom.com/19abb0h0
booltom.com/5nqlax
booltom.com/7dp0k
booltom.com/8qm9ldj
dipsite.com/r4f2wug
distribuidorabmk.com/wuv2rw
dvdworldmagazine.com/ptibu73
escolaemacao.com/rksgyuj
facerecognition.com.ba/cffdw
feuduprid.com/1xrdgx1j
feuduprid.com/6cpar
feuduprid.com/7sv4ygr9
feuduprid.com/aohsi
fifieoho.com/10a74fd
fifieoho.com/4u29v4
fifieoho.com/74uf3
fifieoho.com/8gplb
hdyzzs.com/qis3lqzw
kristiantouborg.com/trdmz3c
kronosmd.com/oqyxt
kuzeydogalgaz.com/gspiqv
laisou8.com/c4ecj8n
mayrice.net/07il79
mayrice.net/3w7eqv5
mayrice.net/6zok4n
mayrice.net/7uh0f
mgrshs.com/arabn
mmpang.com/h71zo4
mplaylist.com/mw921
nbjzpx.com/n9ih0k
net2008.com/mx93j63z
njykvalve.com/crk5x
numberoneenglish.com/b2v8x8
ofertacar.com/lzdp0id1
oguzhannakliyat.net/nhl290
onji.org/hox0lh
optimize4youseo.com/il9e7
oualili.org/kys133ec
ougelook.com/f7fr3
ozgurbasin.net/ceo09c
pandalove.ru/meft1bs5
peskara.com/n01afb
phaseiv.org/b0uo1
pioneerschina.com/xwks4
pmofmichigan.com/p1inbvn
prettymeuk.com/btvcc
print800.com/p3tw0nst
pro-units.ru/e8uosl
rbwm.ru/wvz996u
relishyomama.org/ebugjjni
sanalgelisim.com/pdjrz8w6
sccxtx.com/gdywsb9
sellflash.com/pjphz
sladetahil.com/1oiyflq
sladetahil.com/6763jdl
sladetahil.com/7fedf3f
sladetahil.com/99f2zg
speakrz.com/oa7ev
tbcthebillingcompany.com/u8uq8t5g
test1.unihost.link/rhh8saz
test.personne.ru/h3x2h682
vudie.com/uco3h8o
westpommern.com/ha0jaeo
winterferienhaus.com/sqfjn29
woodmode-eg.com/o47tu
yepi-games.net/wpp6wl0
zakscott.com/obg7n
zhiwuba.com/ogtkhy

The malware then phones home to the following IPs (belonging pretty much to the usual suspects):

46.8.44.105/apache_handler.php (Netart Group / Zomro, Ukraine)
91.219.28.76/apache_handler.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
188.120.236.21/apache_handler.php (TheFirst-RU, Russia)
217.12.223.78/apache_handler.php (ITL, Ukraine)
46.183.221.134/apache_handler.php (Dataclub, Latvia)

It attempts to contact the following domains, none of which were resolving for me:

vrqhyhyhfoqtetjj.su/apache_handler.php
aukahiofk.click/apache_handler.php
mbjyucltybuujwrec.pl/apache_handler.php
odktufycxibodtlgc.xyz/apache_handler.php
oglvsqvesshcq.work/apache_handler.php
tfgyuhlggusls.ru/apache_handler.php
senawhlqiyl.biz/apache_handler.php
gsrhrrx.su/apache_handler.php
sodugmdutpwo.click/apache_handler.php
ibmwyjowwkvquhftq.info/apache_handler.php
knsyllstwjfv.org/apache_handler.php
pxeuwhmghsnffbn.info/apache_handler.php

Recommended blocklist:
46.8.44.105
46.183.221.128/25
91.219.28.76
188.120.236.21
217.12.223.78


Thursday, 18 August 2016

Malware spam: "The office printer is having problems so I've had to email the UPS label"

This fake UPS email has a malicious attachment. It appears to come from various countries UPS domains (e.g. ups.de, ups.co.uk), and from various senders.

From     "Laurence lumb" [Laurence.lumb25@ups.de]
Date     Thu, 18 Aug 2016 17:35:21 +0530
Subject     Emailing: Label

Good afternoon

The office printer is having problems so I've had to email the UPS label,
sorry for the inconvenience.

Cheers

Laurence lumb
Attached is a ZIP file with a name beginning "Label" plus a random number. This contains a malicious .WSF script file that downloads Locky ransomware from one of the following locations (according to my trusted source):

a-plusrijopleiding.nl/jkYTFhb7
cloud9surfphilippines.com/jkYTFhb7
concurs.kzh.hi2.ro/jkYTFhb7
cs-czosnusie.cba.pl/jkYTFhb7
dasproject.homepage.t-online.de/jkYTFhb7
detlevs-homepage.de/jkYTFhb7
edios.vzpsoft.com/jkYTFhb7
entree22.homepage.t-online.de/jkYTFhb7
entrematicomstyle.com/jkYTFhb7
hanakago3.web.fc2.com/jkYTFhb7
infocoard.50webs.com/jkYTFhb7
mortony.cba.pl/jkYTFhb7
ramenman.okoshi-yasu.com/jkYTFhb7
rgcgifuhashima.aikotoba.jp/jkYTFhb7
sulportale.50webs.com/jkYTFhb7
wb4rsun8c.homepage.t-online.de/jkYTFhb7
www.1-anwalt.de/jkYTFhb7
www.alexpalmieri.com/jkYTFhb7
www.beneli.be/jkYTFhb7
www.bkcelje.50webs.com/jkYTFhb7
www.ceccatobassano.it/jkYTFhb7
www.fabriziorossi.it/jkYTFhb7
www.jphmvossen.nl/jkYTFhb7
www.kdr.easynet.co.uk/jkYTFhb7
www.learnetplus.org/jkYTFhb7
www.lechner-maria.de/jkYTFhb7
www.parma-vivai.it/jkYTFhb7
www.pizzeriaelite.it/jkYTFhb7
www.pulsefl.0catch.com/jkYTFhb7
www.unice.it/jkYTFhb7
zsp17.y0.pl/jkYTFhb7


This dropped binary has a detection rate of 6/54. It phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
51.255.107.8/php/upload.php (Webhost LLC Dmitrii Podelko, Russia / OVH, France)
194.67.210.183/php/upload.php (Marosnet, Russia)

Recommended blocklist:
185.129.148.0/24
51.255.107.8
194.67.210.183






Monday, 15 August 2016

Malware spam: "orderconfirmation@esab.co.uk" / "Order Confirmation-7069-2714739-20160815-292650"

This fake financial spam does not come from ESAB but is instead a simple forgery with a malicious attachment.

From:    orderconfirmation@esab.co.uk
Date:    15 August 2016 at 10:37
Subject:    Order Confirmation-7069-2714739-20160815-292650

_________________________________________________________________
This communication and any files transmitted with it contain information which is confidential and which may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any disclosure, copying, printing or use whatsoever of this communication or the information contained in it is strictly prohibited. If you have received this communication in error, please notify us by e-mail or by telephone as above and then delete the e-mail together with any copies of it.

ESAB does not accept liability for the integrity of this message or for any changes, which may occur in transmission due to network, machine or software failure or manufacture or operator error. Although this communication and any files transmitted with it are believed to be free of any virus or any other defect which might affect any computer or IT system into which they are received and opened, it is the responsibility of the recipient to ensure that they are virus free and no responsibility will be accepted by ESAB for any loss or damage arising in any way from receipt or use thereof. 
Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component from one of the following locations:

marcinha.50webs.com/HJ6bhGHV
marimo1963430.web.fc2.com/HJ6bhGHV
mondialmt2.hi2.ro/HJ6bhGHV
orquestracaravan.com/HJ6bhGHV
turiblo.atspace.com/HJ6bhGHV
www.lancerortho.com/HJ6bhGHV
www.pescatoridelpontile.it/HJ6bhGHV
www.reniero.org/HJ6bhGHV
www.vinyljazzrecords.com/HJ6bhGHV
xn--kukuk-gstrow-jlb.de/HJ6bhGHV


The payload is Locky ransomware with a very low detection rate at present. It phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)
46.148.26.77/php/upload.php (Infium UAB, Ukraine)

The MWTV block is all bad. Recommended blocklist:
185.129.148.0/24
138.201.56.190
46.148.26.77


Friday, 12 August 2016

Malware spam: This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

This spam comes with a malicious attachment:

Subject:     Message from "CUKPR0317276"
From:     scanner@victimdomain.tld (scanner@victimdomain.tld)
To:     webmaster@victimdomain.tld;
Date:     Friday, 12 August 2016, 14:00

This E-mail was sent from "CUKPR0329001" (Aficio MP C305).

Scan Date: 17.11.2015 09:08:40 (+0000)
Queries to: <scanner@victimdomain.tld
The email appears to come from within the victim's own domain (but this is just a simple forgery). Attached is a ZIP file with a name similar to 201608120908.zip which contains a malicious .WSF script with a name similar to doc(171)-12082016.wsf

This Hybrid Analysis shows the script downloading a file from www.hi-segno.com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2.com and www.homesplus.nf.net) but a trusted source tells me that the following download locations appear in different scripts:

birthday-cards.50webs.com/02bjJBHDs
bonmoment.web.fc2.com/02bjJBHDs
broda.50webs.com/02bjJBHDs
coachinglegend2.atspace.com/02bjJBHDs
dopelx.com/02bjJBHDs
einfachwalter.homepage.t-online.de/02bjJBHDs
files.zdaspb.ru/02bjJBHDs
kolkhoz.web.fc2.com/02bjJBHDs
muteofficial.web.fc2.com/02bjJBHDs
portraitstaffa.de/02bjJBHDs
preglitzer.heimat.eu/02bjJBHDs
scom2.web.fc2.com/02bjJBHDs
seinyco.es/02bjJBHDs
sportpferde-weihmayer.homepage.t-online.de/02bjJBHDs
studiocorrado.org/02bjJBHDs
sv-sportscars.nl/02bjJBHDs
tianooze.web.fc2.com/02bjJBHDs
www.bitupont.hu/02bjJBHDs
www.ceccosport.it/02bjJBHDs
www.herinvest.be/02bjJBHDs
www.hi-segno.com/02bjJBHDs
www.homesplus.nf.net/02bjJBHDs
www.meckem.de/02bjJBHDs
www.meteoerba.it/02bjJBHDs
www.milleniumbar.it/02bjJBHDs
www.nikawilliam.net/02bjJBHDs
www.oxxengarde.de/02bjJBHDs
www.planetk.it/02bjJBHDs
www.smilehi.info/02bjJBHDs


The malware phones home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
138.201.56.190/php/upload.php (Hetzner, Germany)

That Latvian network range is all bad, I recommend that you block the lot. The payload is Locky ransomware.

Recommended blocklist:
185.129.148.0/24
138.201.56.190


Thursday, 11 August 2016

Malware spam: "New Doc" / "Scanned by CamScanner" / "Sent from Yahoo Mail on Android"

This spam has a malicious attachment:

From:    Ashley [Ashley747@victimdomail.tld]
Date:    11 August 2016 at 11:13
Subject:    New Doc 6-6

Scanned by CamScanner


Sent from Yahoo Mail on Android

The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis of one sample shows a download location of fcm-makler.de/4GBrdf6 and my sources (thank you) tell me that there are many others, giving the following list:

151.ru/4GBrdf6
antonello.messina.it/4GBrdf6
fcm-makler.de/4GBrdf6
iceninegr.web.fc2.com/4GBrdf6
mccrarys.us/4GBrdf6
momoselok.ru/4GBrdf6
sando.oboroduki.com/4GBrdf6
www.EastsideAutoSalvage.com/4GBrdf6
www.fasulo.org/4GBrdf6
www.halloweenparty.go.ro/4GBrdf6
www.tommasobovone.com/4GBrdf6


The malware is Locky ransomware, and it phones home to the following locations:

185.129.148.19/php/upload.php (MWTV, Latvia)
195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife.net]
136.243.237.197/php/upload.php (Hetzner, Germany)

Recommended blocklist:
185.129.148.0/24
195.16.90.23
136.243.237.197

Thursday, 4 August 2016

Malware spam: "Business card" / "I have attached the new business card design." leads to Locky

This spam email has a malicious attachment:

From:    Glenna Johnson
Date:    4 August 2016 at 10:18
Subject:    Business card

Hello [redacted],

I have attached the new business card design.
Please let me know if you need a change


King regards,
Glenna Johnson
c75b53fd1ea488ebe8eaf068fd5c9dd13f1848f4d3a7
Sender names and that long hexadecimal number with vary. Attached is a randomly-named ZIP file containing a malicious .js script beginning with "business card" [example]. The payload appears to be Locky ransomware.

This Hybrid Analysis of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:

escapegasmech.com/048220y5
goldjinoz.com/0a3tg
platimunjinoz.ws/13fo8lnl
regeneratewert.ws/1qvvu9lu
traveltotre.in/2c4ykij7


This drops a binary with a detection rate of 8/54. The earlier Hybrid Analysis report shows it phoning home to:

31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost.ru]
185.129.148.19/php/upload.php (MWTV, Latvia)
91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers.com]

All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.

Recommended blocklist:
31.41.40.0/21
185.129.148.0/24
91.219.28.0/22






Wednesday, 3 August 2016

Malware spam: "As you directed, I send the attachment containing the data about the new invoices"

Another day, another Locky ransomware run:

From:    Marian Mcgowan
Date:    3 August 2016 at 11:15
Subject:    Fw: New invoices

As you directed, I send the attachment containing the data about the new invoices

Attached is a randomly-named ZIP file which contains a highly obfuscated .js script  which according to this Malwr analysis downloads a binary from..

blog-aida.cba.pl/2zensi7t

..when decrypted it creates a binary with a detection rate of 4/54. That same Malwr analysis shows it phoning home to:

93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm.in]

This IP was seen last night and it seems that there is a concurrent Locky spam run phoning home to:

185.129.148.19/php/upload.php (MWTV, Latvia)
89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv.com]

Both those IPs are in known bad blocks.

Recommended blocklist:
93.170.104.20
185.129.148.0/24
89.108.127.0/24



Tuesday, 5 July 2016

Malware spam: "Scanned image" leads to Locky

This fake document scan appears to come from within the victim's own domain but has a malicious attachment.

From:    administrator8991@victimdomain.com
Date:    5 July 2016 at 12:47
Subject:    Scanned image

Image data has been attached to this email.
Possibly due to an error in setting up the spam run, there is an attachment named 05-07-2016_rndnum(4,9)}}.docm which contains a malicious macro. We haven't seen much in the way of Word-based malware recently. The two samples I received have VirusTotal detection rates of 5/52 and 6/52. The Malwr analysis for those samples [1] [2] shows the macro downloading a binary from:

leafyrushy.com/98uhnvcx4x
sgi-shipping.com/98uhnvcx4x


There will be a lot more locations too. This drops a binary with a detection rate of 5/55 which appears to be Locky ransomware. Hybrid Analysis shows it phoning home to:

185.106.122.38 (Host Sailor, Romania / UAE)
185.106.122.46 (Host Sailor, Romania / UAE)
185.129.148.6 (MWTV, Latvia)


Host Sailor is a notoriously Black Hat web host, MWTV has is problems too. The payload appears to be be Locky ransomware.

Recommended blocklist:
185.106.122.0/24
185.129.148.0/24



Tuesday, 28 June 2016

Malware spam: "report" / "I致e attached the report you asked me to send." leads to Locky

This spam has a weird problem with its apostrophe and comes with a malicious attachment:

From:    Kris Ruiz
Date:    28 June 2016 at 10:38
Subject:    report

Hi info,

I致e attached the report you asked me to send.


Regards


Kris Ruiz
Head of Finance UKGI Planning

The details of the sender will vary from message to message.

Attached is a ZIP file containing components of the recipient's email address and the words "report" and/or "pdf". Contained within is a malicious .js script file with a name starting with "swift".

This analysis comes from a trusted third party (thank you again). The script downloads a file from one of the following locations:

300tomoli.it/j8m7ktu
4k18.com/dfg4ad
adbm.co.uk/q2bmmhz
atlantaelectronics.co.id/xe1370n
bbmarilu.it/hkl9d
bbvogliadimare.it/il4cc3e
bibliadarkorbit.za.pl/i59j41zo
bisericaromaneasca.ro/trslckn
bobbysinghwpg.com/x42honx
bordur32.ru/re23zcb7
cameramartusa.info/u0uolg9
centrosportivoiunco.it/e8uxd
certifiedbanker.org/qjxfba
cond.gribochechki.ru/1vmcl8l
depaardestal.nl/3vfr61
dobramu.za.pl/4pc3kd9p
dragon.obywateleuropy.eu/4u22bfst
dugganinternational.ca/ksx6dv7
edilperle.it/d1mys2g
euro-support.be/xaf5349p
focolareostuni.it/oqtkiw
ft.driftactive.za.pl/7b03ffv
fuckcraft.xorg.pl/8cn8zeo
hate-metal.com/kgp8v
hudebiah.net/nskx4
ilbalconcino2011.it/e4ao4kky
ingstroymash.ru/cwiivhxu
jd-products.nl/t57vc86
marxforschung.de/0e7ac
mr2peter.de/o5ci15o
mycreativeprint.com/w3d7z6
namifitnessclub.it/f6hi6k
newgeneration2010.it/gupwqe1
potolok-profit.ru/q39aie
sprintbus.com.pl/9h7b0qnx
staffsolut.nichost.ru/jwz8i9
stbb.pt/40gnvp9a
tanie-pranie.za.pl/9e607
tip.ub.ac.id/v9wcojln
turniejkrzyz.za.pl/he2013lf
usdavetrana.it/dn81o
vonenidan.de/m3mmis
www.centroinfantilelmolino.com/qtuuvm2
www.johnlodgearchitects.com/haqew
www.pececitos.com/9ehkrke


The file is then decrypted (although I don't have a sample yet) and appears to be Locky ransomware. It phones home to the following servers:

109.234.35.71 (McHost.ru, Russia)
185.146.169.16 (Pavel Poddubniy aka Cloudpro LLC, Russia)
193.9.28.254 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
194.31.59.147 (HostBar, Russia)
195.123.209.227 (Layer6 Networks, Latvia)
217.12.223.88 (ITL, Ukraine)
217.12.223.89 (ITL, Ukraine)


Recommended blocklist:
109.234.35.71
185.146.169.16
193.9.28.254
194.31.59.147
195.123.209.227
217.12.223.88
217.12.223.89

Monday, 27 June 2016

Malware spam: "Requested document" / "The document you requested is attached" leads to Locky

This spam comes from various senders, and leads to Locky ransomware:

From:    Trudy Bonner
Date:    27 June 2016 at 15:39
Subject:    Requested document

Dear [redacted],

The document you requested is attached.

Best regards


Trudy Bonner
Group Director of Strategy
Attached is a ZIP file containing elements of the recipients email address, the words "document", "doc" or "scanned" plus a random number. Contained within is a random .js script beginning with unpaid.

Trusted external analysis (thank you as ever) shows the scripts downloading from one of the following locations:

192.186.246.134/~advancedptr/4kw2yb
210.171.0.30/~akfa8701/76p9su
216.218.93.172/~thelma2/7a4q7knx
217.172.226.2/~redpaluch/8ji21s5
217.172.226.2/~vikolor/3pdqsh
300tomoli.it/0qgidk55
3141592.ru/rvhijql
4k18.com/lpschs
80.244.134.169/x4jzt5
82.140.32.172/~hoddl/4etb1e1
adbm.co.uk/104ky
addonworks.com/aaotksj
angeelle.nichost.ru/sf0bm5rz
arogyaforhealth.com/apqbmvr
asliaypak.com/zcubi7
atlantaelectronics.co.id/kjdfbm
babycotsonline.com/hiy96z
beautifulhosting.com.au/ljtxwrr4
bisericaromaneasca.ro/amfcy
bobbysinghwpg.com/fx1jpyt
cameramartusa.info/qaghx
camera-test.hi2.ro/5w9tcm
certifiedbanker.org/faplav8m
clients.seospell.co.in/8jq6cu
climairuk.com/bv7haqcm
cond.gribochechki.ru/v84pn
delicious-doughnuts.net/t81of0k
empiredeckandfence.com/8wytfp
euro-support.be/jo1s8r3k
focolareostuni.it/1tl199rq
hudebiah.net/vyz44p8
immoclic.o2switch.net/mpzkos32
ingstroymash.ru/vi4hwfp
jd-products.nl/msjswnn
mycreativeprint.com/f9qa60q
potolok-profit.ru/w9oyt
sherlock.uvishere.com/2ujlndd
staffsolut.nichost.ru/wif31sug
tip.ub.ac.id/bzrnweoo
www.centroinfantilelmolino.com/2sgw0ch


The malware phones home to the following hosts:


51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
109.234.35.71 (McHost.ru, Russia)
185.82.216.61 (ITL, Bulgaria)
185.146.169.16 (Pavel Poddubniy aka CloudPro, Russia)
195.123.209.227 (ITL, Latvia)
217.12.223.88 (ITL, Ukraine)
217.12.223.89 (ITL, Ukraine)


Lots of ITL recently... you might want to block /24s here instead of single IPs.

Recommended blocklist:
51.254.240.48
109.234.35.71
185.82.216.61
185.146.169.16
195.123.209.227
217.12.223.88
217.12.223.89


Malware spam: DOC1234 / document4321 / Document56789 leads to Locky

This rather terse spam run leads to Locky ransomware and appears to come from the sender's own email account (but doesn't).

The subject is some variation of DOC / Document / document plus a number. There is a ZIP file attached with a name matching the subject, there is no body text.

Some examples

Subject: DOC541887
Attachment: DOC541887.zip

Subject: document36168
Attachment: document36168.zip

Subject: Document453567810
Attachment: Document453567810.zip

Contained within the ZIP file is one of several different .js scripts. Trusted third-party analysis (you know who you are, thank you!) shows download locations at:

calcoastlogistics.com/09ujnb76v5?yNVICJbit=nFikKFve
labthanhthanhpg.com/09ujnb76v5?yNVICJbit=nFikKFve
patmagifts.asia/09ujnb76v5?yNVICJbit=nFikKFve
shadowbi.com/09ujnb76v5?yNVICJbit=nFikKFve
www.tmdmagento.com/09ujnb76v5?yNVICJbit=nFikKFve


Detection rates for the dropped binary are 5/54. The malware phones home to the following IPs:

51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
217.12.223.88 (ITL, Ukraine)
195.123.209.227 (ITL, Latvia)
185.82.216.61 (ITL, Bulgaria)


Recommended blocklist:
51.254.240.48
217.12.223.88
195.123.209.227
185.82.216.61


Thursday, 23 June 2016

Malware spam: "Final version of the report" probably leads to Locky

This spam leads to malware:

From:    Julianne Pittman
Date:    23 June 2016 at 09:48
Subject:    Final version of the report

Dear info,

Patrica Ramirez asked me to send you the attached Word document, which contains the final version of the report.
Please let me know if you have any trouble with the file, and please let Patrica know if you have any questions about the contents of the report.


Kind regards


Julianne Pittman
Operations Director (CEO Designate)
The names in each version of the email vary. Attached is a ZIP file with a filename containing some version of the recipients email address and the word "report" which contains in turn a malicious ZIP .js script beginning with the words "unpaid".

The payload is not known at this time and analysis is pending, but is likely to be Locky ransomware similar to this.

UPDATE 1

Hybrid Analysis of three sample scripts [1] [2] [3] show three download locations (you can bet there will be many more):

bptec.ir/kvk9leho
promoresults.com.au/gx4al
boranwebshop.nl/ggc7ld


Each one drops a slightly different binary (VirusTotal results [4] [5] [6]) but at the moment automated analysis is inconclusive [7] [8] [9] [10] [11] [12]. I will try to post the C2 servers here if I get them.

UPDATE 2

A trusted third party analysis shows the following download locations (thank you!) :

3141592.ru/wyesvj
4k18.com/u69f97
aberfoyledental.ca/6dil05
abligl.com/8v62l4i4
adbm.co.uk/1o2wejz
angeelle.nichost.ru/y6s1y9h
arogyaforhealth.com/jujg6ru
atlantaelectronics.co.id/quv7rcc1
babycotsonline.com/ph42q6ue
barum.de/c2blg
beautifulhosting.com.au/rxn80
bilgoray.com/vi5sfu
bobbysinghwpg.com/pdqcqlnr
boranwebshop.nl/ggc7ld
bptec.ir/kvk9leho
cameramartusa.info/xrfpm
capitalwomanmagazine.ca/6k1oig
century21keim.com/c7xb2xy
certifiedbanker.org/obmv6590
cg.wandashops.com/evqbfwkx
clients.seospell.co.in/fkn67zy
climairuk.com/h32k491o
climatizareonline.ro/azkqs
cond.gribochechki.ru/zibni
dentalshop4you.nl/m22brjfz
disneyexperience.com/psyyhe
elviraminkina.com/ojyq1
euro-support.be/rdl3n7u
focolareostuni.it/0k2ren
freesource.su/ijugasq1
grantica.ru/6hjli
honeystays.co.za/siu2k
ideograph.com/k7qfsxx
imetinyang.za.pl/74hd4by5
immoclic.o2switch.net/styvuwti
jd-products.nl/xjld131
karl-lee.se/x23ft
margohack.za.pl/wkiokl
matvil8.freehostia.com/64tmb1
mycreativeprint.com/mqib9te
oakashandthorn.charybdis.seedboxes.cc/f7ge4y3k
pipt.wallst.ru/qojqp2
promoresults.com.au/gx4al
redpower.com.au/xlkdld
tip.ub.ac.id/k2e32vh
www.centroinfantilelmolino.com/60wfh
www.darkhollowcoffee.com/oqlyd9m
www.ellicottcitypediatrics.com/7d6sdl
www.keven.site.aplus.net/fmlonxl


C2 servers are at:

51.254.240.48 (Rackspace, US)
91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
217.12.223.88 (ITL, Ukraine)
195.123.209.227 (ITL, Latvia)
93.170.169.188 (PE Dunaeivskyi Denys Leonidovich, Ukraine)


The malware uses the path /upload/_dispatch.php on the C2 servers.

Recommended blocklist:
51.254.240.48
91.219.29.41
217.12.223.88
195.123.209.227
93.170.169.188



/upload/_dispatch.php